JP2007537474A - How to protect cryptographic assemblies by homographic masking - Google Patents


Info

Publication number
JP2007537474A
Authority
JP
Japan
Prior art keywords
function
masking
cryptographic
inv
homographic
Prior art date
Legal status
Granted
Application number
JP2007512586A
Other languages
Japanese (ja)
Other versions
JP4668985B2 (en
Inventor
Nicolas Courtois (クールトワ,ニコラ)
Original Assignee
Axalto S.A. (アクサルト・エス・アー)
Application filed by Axalto S.A.
Publication of JP2007537474A
Application granted
Publication of JP4668985B2
Status: Expired - Fee Related


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 The encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/04 Masking or blinding
    • H04L2209/046 Masking or blinding of operations, operands or results of the operations
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72 ... using residue arithmetic
    • G06F7/724 Finite field arithmetic
    • G06F7/726 Inversion; Reciprocal calculation; Division of elements of a finite field
    • G06F2207/00 Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72 Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7219 Countermeasures against side channel or fault attacks
    • G06F2207/7223 Randomisation as countermeasure against side channel attacks
    • G06F2207/7233 Masking, e.g. (A**e)+r mod n

Abstract

The method involves changing the output of a homographic function (f), for any secret key (k), where x is an input and y is equal to f(x+k), directly from a masked value x+m_i (XOR-type additive masking) to a masked value y+m_i. The change is performed using a composition of several transformations operating on GF(2^k) with the point at infinity added, defined in the form (ax+b)/(cx+d), and of transformations which exchange two points. Independent claims are also included for: (A) an electronic system comprising a unit storing the cryptographic calculation process and a unit processing the cryptographic calculation process; (B) a computer program comprising program code instructions for executing the steps of the method for protecting an electronic assembly implementing a cryptographic algorithm.

Description

The present invention relates to a method for securing an electronic assembly that implements a cryptographic algorithm using a secret quantity such as a secret key. More precisely, the method aims to produce a version of the algorithm that is not vulnerable to certain physical attacks, such as the attack known as higher-order differential power analysis, which attempts to obtain information about the secret key by examining the power consumption of the electronic assembly while it executes a computation.

1.1 Background
The cryptographic algorithms considered here use a secret key to compute output information from input information. These algorithms have many applications, for example encryption, decryption, signature, signature verification, authentication, non-repudiation and other operations. Many applications today base their security on secret-key cryptographic algorithms such as DES and, more recently, AES, which has been the worldwide encryption standard since 2000; see Joan Daemen, Vincent Rijmen: AES proposal: Rijndael.

The latest version is available on the Internet at http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf. These cryptographic algorithms have been studied by cryptographers and proven secure against the best known attacks. For such cryptographic solutions, security therefore rests mainly on the security of the secret key used. Unfortunately, neither the security of data items stored on a PC nor that of passwords memorized by people can be taken seriously. It has therefore become essential to store secret quantities in an independent secure module such as a smart card.

1.2 Problem: protecting embedded algorithms
Cryptographic algorithms are perfectly secure in an ideal mathematical world, but not in the real world. A smart card radiates energy and consumes current, and as a result information that depends on the secret quantity escapes from the card at every cycle.

To be truly secure, the intermediate data of the algorithm must not provide any information about this secret quantity. In addition, new attacks are being developed; see the following documents.

P. Kocher, J. Jaffe, B. Jun, "Introduction to Differential Power Analysis and Related Attacks", Technical Report, Cryptography Research Inc., 1998. Available from http://www.cryptography.com/dpa/technical/index.html.

T.S. Messerges, "Using Second-Order Power Analysis to Attack DPA Resistant Software", In Proceedings of CHES 2000, LNCS 1965, pp. 238-251, Springer-Verlag, 2000.

These are known as higher-order attacks (for example "second-order DPA"): the attacker combines information that leaks during the execution of the cryptographic algorithm at two or more points. To be protected against this kind of attack, it is no longer sufficient that the intermediate data of the algorithm give no information about the secret quantity; it must also be impossible for an attacker to combine data obtained at different moments of the execution so as to obtain any information about the secret quantity.

1.3 Constraints
A solution to the problem must not only protect against DPA-type attacks but must also be extensible to "second-order DPA" and higher-order attacks. The solution must also meet reasonable constraints on execution time and on the amount of memory used. One object of the present invention, which it achieves, is that execution time and memory are multiplied only by a small constant, independent of the block size and of the number of AES rounds, compared with an unprotected implementation.

The present invention secures AES against first-order, second-order and higher-order DPA-type attacks, SPA attacks and other electronic attacks, and attacks via other hidden channels.

The remainder of this document describes a general solution that is particularly suited to the AES algorithm but can also be applied to other cryptographic algorithms. All previously known solutions to this problem have been criticized for their performance and their memory usage, and have been subject to attacks published in the literature.

The present invention relates to a method for securing an electronic system comprising a processor and a memory and implementing a cryptographic calculation process stored in the memory, the cryptographic calculation process using a secret quantity k and a homographic function f of the following type:
・ f(z) = (az+b)/(cz+d) when (cz+d) is not equal to 0
・ f(−d/c) = a/c

The function f acts on masked variables. The method consists in performing this operation, for any k, where x is the input of the function f and y = f(x+k) is its output, so as to pass directly from the masked value x+m_i (XOR-type additive masking) to the masked value y+m_j, using a composition of several transformations acting on GF(2^k) with the point at infinity added, defined as (ax+b)/(cx+d), and of transformations that exchange two points.

The invention also relates to a system implementing this method.

The purpose of the method according to the invention is to secure an electronic system, for example an embedded system such as a smart card, that implements a cryptographic calculation process using a secret key. The electronic system comprises a processor and a memory. The cryptographic calculation process is installed in a memory of this system, for example of ROM type. The processor of the system executes the calculation process using a secret key stored in a secret area of a memory, for example of E2PROM type.

The method according to the invention consists in providing homographic protection.

First, the general principle of the protection is described.

2.1 Decomposition principle
Every cryptographic system can be decomposed into a number of basic operations such as addition, XOR, etc.

In the case of AES, the operations can be divided into two categories:
− "linear" operations, which are easily protected by conventional additive masking; this is known and is not the subject of the present invention;
− apart from the linear operations, a single operation remains, namely the Rijndael Inv operation derived from inversion in the finite field GF(256), with 0 mapped to 0.
Our concern is exclusively to protect the Inv operation.
The solution described also applies to other similar operations.

2.2 Preliminaries
Let K be a finite field. For AES, K = GF(256).
Assume that some implementation of K is available, that is, an implementation of addition and multiplication in K, for example the one defined in [AES].

Let Inv be the modified Rijndael inverse function [AES], that is:
・ Inv(x) = 1/x in K when x is non-zero
・ Inv(0) = 0

Define K′ by adding to K a point known as the point at infinity, oo:
K′ = K ∪ {oo}

Define Inv′ as the following operation:
・ Inv′(x) = 1/x in K when x is non-zero and not equal to oo
・ Inv′(0) = oo
・ Inv′(oo) = 0

The invention observes that, to compute Inv, one can apply the composition of Inv′ with the operation that exchanges 0 and oo.

Let E[a,b] be the operation on K′ that exchanges the points a and b:
・ E[a,b](x) = x when x is equal to neither a nor b
・ E[a,b](a) = b
・ E[a,b](b) = a

2.3 How to express the operation Inv
For any x in K (Inv is not defined on all of K′):
Inv(x) = Inv′(E[0,oo](x))

The protection principle is as follows: unlike Inv, Inv′ belongs to a group of moderate size that is stable under composition. Consequently, a protection that cannot exist for Inv can be achieved for Inv′.

This group is defined as the set of the following functions.

For any 4-tuple (a,b,c,d) of elements of K with ac <> bd, we define the function HOM[a,b,c,d] as follows:
・ HOM[a,b,c,d](x) = (ax+b)/(cx+d) in K when (cx+d) is not equal to 0
・ HOM[a,b,c,d](−d/c) = oo
・ HOM[a,b,c,d](oo) = a/c

To implement Inv, we write the following function K′ −> K′, which coincides with Inv on the set K:
Inv′ o E[0,oo]

The symbol "o" denotes ordinary composition of functions.

We then write Inv′ as a product of homographic functions:
Inv′ = F_1 o F_2 o ... o F_n o G_1 o ... o G_n

Each of the functions F_i and G_i is of the form HOM[a,b,c,d].

Since Inv′ belongs to a group, this decomposition can be carried out arbitrarily. For example, Inv′ can be obtained by choosing 2n−1 of the functions at random, recomputing the missing one, and composing them.

We then obtain the following function K′ −> K′, which coincides with Inv on K:
F_1 o F_2 o ... o F_n o G_1 o ... o G_n o E[0,oo]

Since all of these functions are bijections of K′, however, two points a and b can be computed such that this function is equal to:
F_1 o F_2 o ... o F_n o E[a,b] o G_1 o ... o G_n

These points are a = G_1(...G_n(0)) and b = G_1(...G_n(oo)).

The protection of the invention is implemented as follows.
1. Generate F_1, F_2, ..., F_n, G_1, ..., G_n. Each is described by 4 elements of K, that is, 4 bytes in Rijndael/AES.
2. Compute a and b.
3. Compute Inv by applying this sequence of operations.
4. AES contains several Inv operations. The sequence of operations defined in 1-3 may differ from one computation to the next.

2.4 How to protect the operation Inv
In a secure AES implementation, y = Inv(x) is not computed from x; instead, y+m_j is obtained directly from the masked value x+m_i, without using the intermediate values x and y, which would leak information. We therefore have to compute the following function:
y = Inv(x+m_i)+m_j

Like Inv, this function admits many representations as a combination of basic operations of the form HOM[a,b,c,d] together with an exchange of two points.

It is also recommended to go further. Let K_i be an AES intermediate (round) key. The operation x |−> Inv(x+K_i) can be protected directly in the same way: after an exchange of two points, this operation is equal on K to a particular HOM[a,b,c,d]: K′ −> K′ of the group, which can be decomposed in the same way as Inv. In an implementation protected by additive masking, we therefore need to decompose the following function:
x |−> Inv(x+K_i+m_i)+m_j

This is carried out in the same way.
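The construction of sections 2.2 to 2.4, worked through in Python as an added example (this is not the patent's or Axalto's code): GF(256) arithmetic with the Rijndael polynomial, HOM[a,b,c,d] on K′ = K ∪ {oo} with oo encoded as the integer 256 (an assumption), the random decomposition of Inv′ with G_n solved for, the relocation of the swap to E[a,b], and the masked, keyed operation x |−> Inv(x+K_i+m_i)+m_j of section 2.4. The code checks non-degeneracy as ad ≠ bc, the condition under which (ax+b)/(cx+d) is a bijection of K′; all function names are the example's own.

```python
import secrets

INF = 256  # encoding of the point oo of K' = GF(256) U {oo}; not a field element

def gf_mul(x, y):
    """Multiply in GF(2^8) modulo the Rijndael polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        x <<= 1
        if x & 0x100:
            x ^= 0x11B
        y >>= 1
    return r

def inv(x):
    """Rijndael Inv: x^254 = 1/x in GF(256), and 0^254 = 0 gives Inv(0) = 0."""
    r, p, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, p)
        p = gf_mul(p, p)
        e >>= 1
    return r

def hom_apply(h, x):
    """HOM[a,b,c,d](x) on K', with both rules for the point oo; h = (a, b, c, d)."""
    a, b, c, d = h
    if x == INF:                       # HOM(oo) = a/c (oo itself when c = 0)
        return INF if c == 0 else gf_mul(a, inv(c))
    num, den = gf_mul(a, x) ^ b, gf_mul(c, x) ^ d
    return INF if den == 0 else gf_mul(num, inv(den))  # HOM(-d/c) = oo

def hom_compose(f, g):
    """Coefficients of f o g (g applied first): the 2x2 matrix product over K."""
    a, b, c, d = f
    e, f2, g2, h2 = g
    return (gf_mul(a, e) ^ gf_mul(b, g2), gf_mul(a, f2) ^ gf_mul(b, h2),
            gf_mul(c, e) ^ gf_mul(d, g2), gf_mul(c, f2) ^ gf_mul(d, h2))

def hom_inverse(h):
    """Inverse homography; in characteristic 2 the adjugate (d, b, c, a) suffices."""
    a, b, c, d = h
    return (d, b, c, a)

def hom_random():
    """Random non-degenerate homography (ad != bc), hence a bijection of K'."""
    while True:
        h = tuple(secrets.randbelow(256) for _ in range(4))
        if gf_mul(h[0], h[3]) ^ gf_mul(h[1], h[2]):
            return h

def swap_apply(a, b, x):
    """E[a,b]: exchange the points a and b of K', fix every other point."""
    return b if x == a else a if x == b else x

INV_PRIME = (0, 1, 1, 0)  # Inv'(x) = 1/x with 0 <-> oo is the homography HOM[0,1,1,0]

def decompose(target, p, q, n):
    """Write target o E[p,q] as F_1 o ... o F_n o E[a,b] o G_1 o ... o G_n:
    2n-1 factors are random and G_n is solved for (section 2.3); the swap is
    then moved past the G's, so a = G(p), b = G(q) with G = G_1 o ... o G_n."""
    fs = [hom_random() for _ in range(n)]
    gs = [hom_random() for _ in range(n - 1)]
    partial = (1, 0, 0, 1)                             # identity HOM[1,0,0,1]
    for h in fs + gs:
        partial = hom_compose(partial, h)
    gs.append(hom_compose(hom_inverse(partial), target))  # partial o G_n = target
    def g_all(x):                                      # G_1(G_2(...G_n(x)))
        for h in reversed(gs):
            x = hom_apply(h, x)
        return x
    return fs, (g_all(p), g_all(q)), gs

def evaluate(decomp, x):
    """Run the protected sequence: G_n..G_1, then E[a,b], then F_n..F_1."""
    fs, (a, b), gs = decomp
    for h in reversed(gs):
        x = hom_apply(h, x)
    x = swap_apply(a, b, x)
    for h in reversed(fs):
        x = hom_apply(h, x)
    return x

def protected_inv(n=4):
    """Inv(x) = Inv'(E[0,oo](x)) computed through a fresh random decomposition."""
    return decompose(INV_PRIME, 0, INF, n)

def protected_masked_keyed_inv(k, m_i, m_j, n=4):
    """Section 2.4: x |-> Inv(x+k+m_i)+m_j on masked values only. The maskings
    are the affine homographies HOM[1,k^m_i,0,1] and HOM[1,m_j,0,1]; moving
    E[0,oo] past the input map gives E[k^m_i,oo], absorbed as for Inv."""
    pre, post = (1, k ^ m_i, 0, 1), (1, m_j, 0, 1)
    target = hom_compose(post, hom_compose(INV_PRIME, pre))
    return decompose(target, k ^ m_i, INF, n)
```

A fresh decomposition can be drawn for each of the Inv operations in AES, as step 4 of section 2.3 allows; only the masked input ever enters evaluate.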

2.5 Improvements
Several operations E[a,b] can be used instead of a single one.

Clearly, for each operation HOM[a,b,c,d], a can be assumed to be equal to 0 or 1.

The same method can also be used to protect an implementation when additive or multiplicative masking is used, but this is not recommended: these maskings are not bijective, or they fix certain points; for example, multiplicative masking does not mask 0. Homographic masking of any type is always bijective, but it requires storing one of 257 values, which is not very practical, since it cannot be stored in one byte.

This document does not describe a complete protected AES implementation.

Its purpose is to explain how to protect the non-linear component, which is the hardest to protect. The protection of the assembly may, and must, include other well-known conventional protections.

In the particular embodiment described, the invention thus relates to a method for protecting an assembly implementing a cryptographic calculation process that uses at least the function Inv (the inverse function in GF(2^k) with 0 mapped to 0, as in AES), in which an intermediate variable x of the computation is processed under additive masking x+m_i, where m_i is a mask and + is the XOR operator, characterized in that, for any k, where x is the input and y = f(x+k), this operation is performed so as to pass directly from the masked value x+m_i to the masked value y+m_j without exposing the intermediate values, using a composition of several transformations acting on GF(2^k) with the point at infinity added, defined in the form (ax+b)/(cx+d), and of transformations that exchange two points.

The invention also relates to a system comprising storage means and implementing a cryptographic calculation process that uses the function Inv (the inverse function in GF(2^k) with 0 mapped to 0, as in AES), in which an intermediate variable x of the computation is processed under additive masking x+m_i, where m_i is a mask and + is the XOR operator, characterized in that, for any k, where x is the input and y = Inv(x+k), this operation is treated as a composition of several transformations acting on GF(2^k) with the point at infinity added, defined in the form (ax+b)/(cx+d), and of transformations that exchange two points, so as to pass directly from the masked value x+m_i to the masked value y+m_j without exposing the intermediate values.

Claims (10)

1. A method for protecting an assembly implementing a cryptographic calculation process, the cryptographic calculation process using a homographic function f of the following type acting on masked variables:
・ f(z) = (az+b)/(cz+d) when (cz+d) is not equal to 0
・ f(−d/c) = a/c
characterized in that, for any k, where x is the input of the function f and y = f(x+k) is the output of the function f, this operation is performed so as to pass directly from the masked value x+m_i (XOR-type additive masking) to the masked value y+m_j, using a composition of several transformations acting on GF(2^k) with the point at infinity added, defined as (ax+b)/(cx+d), and of transformations that exchange two points.
2. The method according to claim 1, characterized in that the operation f is the function Inv (the inverse function in GF(2^k) with 0 mapped to 0, as in AES).
3. The method according to claim 1 or 2, characterized in that the calculation process protected is Rijndael or AES.
4. The method according to any one of claims 1 to 3, characterized in that, instead of the additive masking of x by x+m, the masking is performed by an arbitrary homographic operation, and the value (ax+b)/(cx+d) is processed instead of x.
5. The method according to any one of claims 1 to 4, characterized in that the operations are performed using tables.
6. The method according to any one of claims 1 to 5, used to protect an implementation in a smart card, a USB token, a cryptographic module or other dedicated hardware.
7. The method according to any one of claims 1 to 6, used to protect a software implementation with "code obfuscation" (a virtual smart card).
8. The method according to any one of claims 1 to 7, used to protect an implementation executed in concealed form on a remote server (another type of virtual smart card).
9. An electronic system comprising means for storing a calculation process and means for processing said cryptographic calculation process, the cryptographic calculation process using a homographic function f of the following type acting on masked variables:
・ f(z) = (az+b)/(cz+d) when (cz+d) is not equal to 0
・ f(−d/c) = a/c
characterized in that it comprises means for performing this operation, for any k, where x is the input of the function f and y = f(x+k) is the output of the function f, so as to pass directly from the masked value x+m_i (XOR-type additive masking) to the masked value y+m_j, using a composition of several transformations acting on GF(2^k) with the point at infinity added, defined as (ax+b)/(cx+d), and of transformations that exchange two points.
10. A computer program comprising program code instructions which, when the program is executed on an electronic system, perform the steps of the method according to any one of claims 1 to 8.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP04291204A EP1596278A1 (en) 2004-05-11 2004-05-11 Method to protect a cryptographic unit through homographic masking
PCT/IB2005/001409 WO2005109183A1 (en) 2004-05-11 2005-05-11 Method for protecting a cryptographic assembly by a homographic masking

Publications (2)

Publication Number Publication Date
JP2007537474A true JP2007537474A (en) 2007-12-20
JP4668985B2 JP4668985B2 (en) 2011-04-13

Family

ID=34931091

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2007512586A Expired - Fee Related JP4668985B2 (en) 2004-05-11 2005-05-11 How to protect cryptographic assemblies by homographic masking

Country Status (6)

Country Link
US (1) US8074076B2 (en)
EP (2) EP1596278A1 (en)
JP (1) JP4668985B2 (en)
AT (1) ATE447737T1 (en)
DE (1) DE602005017485D1 (en)
WO (1) WO2005109183A1 (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8352400B2 (en) 1991-12-23 2013-01-08 Hoffberg Steven M Adaptive pattern recognition based controller apparatus and method and human-factored interface therefore
US8574074B2 (en) 2005-09-30 2013-11-05 Sony Computer Entertainment America Llc Advertising impression determination
US7904187B2 (en) 1999-02-01 2011-03-08 Hoffberg Steven M Internet appliance system and method
US8751310B2 (en) 2005-09-30 2014-06-10 Sony Computer Entertainment America Llc Monitoring advertisement impressions
US8763157B2 (en) 2004-08-23 2014-06-24 Sony Computer Entertainment America Llc Statutory license restricted digital media playback on portable devices
US8626584B2 (en) 2005-09-30 2014-01-07 Sony Computer Entertainment America Llc Population of an advertisement reference list
US8676900B2 (en) 2005-10-25 2014-03-18 Sony Computer Entertainment America Llc Asynchronous advertising placement based on metadata
US10657538B2 (en) 2005-10-25 2020-05-19 Sony Interactive Entertainment LLC Resolution of advertising rules
US20070118425A1 (en) 2005-10-25 2007-05-24 Podbridge, Inc. User device agent for asynchronous advertising in time and space shifted media network
CN103279874B (en) 2006-05-05 2016-08-03 美国索尼电脑娱乐公司 Advertisement rotation
JP5242560B2 (en) * 2007-05-30 2013-07-24 パナソニック株式会社 ENCRYPTION DEVICE, DECRYPTION DEVICE, ENCRYPTION METHOD, AND INTEGRATED CIRCUIT
US8769558B2 (en) 2008-02-12 2014-07-01 Sony Computer Entertainment America Llc Discovery and analytics for episodic downloaded media
FR2941343B1 (en) * 2009-01-20 2011-04-08 Groupe Des Ecoles De Telecommunications Get Ecole Nat Superieure Des Telecommunications Enst CIRCUIT OF CRYPTOGRAPHY, PROTECTS IN PARTICULAR AGAINST ATTACKS BY OBSERVATION OF LEAKS OF INFORMATION BY THEIR ENCRYPTION.
US8763090B2 (en) 2009-08-11 2014-06-24 Sony Computer Entertainment America Llc Management of ancillary content delivery and presentation
US8731199B2 (en) * 2012-09-28 2014-05-20 Sap Ag Zero knowledge proofs for arbitrary predicates over data

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002366029A (en) * 2001-06-13 2002-12-20 Fujitsu Ltd Encipherment safe against dpa(differential power analysis)

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4559320A (en) * 1984-05-04 1985-12-17 Phillips Petroleum Company Catalysts for olefin conversions
US5120894A (en) * 1988-09-19 1992-06-09 Lyondell Petrochemical Company Olefin conversion process
US5300718A (en) * 1988-09-19 1994-04-05 Lyondell Petrochemical Company Olefin conversion process
FI86298C (en) * 1990-12-05 1992-08-10 Neste Oy Metathesis process for olefins and catalyst for the application thereof.
IL139935A (en) * 1998-06-03 2005-06-19 Cryptography Res Inc Des and other cryptographic processes with leak minimization for smartcards and other cryptosystems
US6586649B1 (en) * 1998-09-04 2003-07-01 Sasol Technology (Proprietary) Limited Production of propylene
FR2789072B1 (en) * 1999-01-29 2001-04-13 Inst Francais Du Petrole PROCESS FOR THE METATHESIS OF OLEFINS IN THE PRESENCE OF A CATALYST STABILIZING AGENT
US6295606B1 (en) * 1999-07-26 2001-09-25 Motorola, Inc. Method and apparatus for preventing information leakage attacks on a microelectronic assembly
JP2003513490A (en) * 1999-10-25 2003-04-08 サイファーマンクス コンサルタンツ リミテッド Data processing method resistant to data extraction by analyzing unintended side channel signals
US7379548B2 (en) * 2003-01-31 2008-05-27 Nds Limited Virtual smart card device, method and system
FR2853175B1 (en) * 2003-03-28 2005-06-17 Everbee Networks ENCRYPTION METHOD AND SYSTEM
US6977318B2 (en) * 2004-05-04 2005-12-20 Equistar Chemicals, Lp Propylene production
US7220886B2 (en) * 2004-10-27 2007-05-22 Catalytic Distillation Technologies Olefin metathesis
US8178737B2 (en) * 2007-06-14 2012-05-15 Lyondell Chemical Technology, L.P. Propylene production

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
JPN6010029303, Trichina E., et al., "Simplified Adaptive Multiplicative Masking for AES", Lecture Notes in Computer Science, 2002, Vol. 2523, pp. 187-197 *
JPN6010029304, Golic J., et al., "Multiplicative Masking and Power Analysis of AES", Lecture Notes in Computer Science, 2002, Vol. 2523, pp. 198-212 *

Also Published As

Publication number Publication date
EP1745366A1 (en) 2007-01-24
WO2005109183A1 (en) 2005-11-17
DE602005017485D1 (en) 2009-12-17
US20080022126A1 (en) 2008-01-24
ATE447737T1 (en) 2009-11-15
EP1596278A1 (en) 2005-11-16
EP1745366B1 (en) 2009-11-04
JP4668985B2 (en) 2011-04-13
US8074076B2 (en) 2011-12-06

Similar Documents

Publication Publication Date Title
JP4668985B2 (en) How to protect cryptographic assemblies by homographic masking
CN110235409B (en) Method for protected RSA signature or decryption using homomorphic encryption
US8332634B2 (en) Cryptographic systems for encrypting input data using an address associated with the input data, error detection circuits, and methods of operating the same
CN101006677B (en) Method and device for carrying out a cryptographic calculation
US10726108B2 (en) Protecting the input/output of modular encoded white-box RSA
US9515820B2 (en) Protection against side channels
JP5892887B2 (en) How to counter side-channel attacks
EP2293487A1 (en) A method of diversification of a round function of an encryption algorithm
EP1557740A2 (en) Methods, circuits and computer program products for processing masked data in an advanced encryption system
JP2008516502A (en) Method and apparatus for automatically generating a cryptographic set of instructions and code generation
JPWO2006077651A1 (en) Encryption processor with tamper resistance against power analysis attacks
JP2000182012A (en) Information processor and end tamper processor
JP2020510879A (en) Elliptic curve point multiplication device and method
EP3667647A1 (en) Encryption device, encryption method, decryption device, and decryption method
JP2020515093A (en) Computing device for coded addition
CN105814833B (en) Method and system for secure data transformation
JP4153665B2 (en) Method for protecting one or more electronic devices using the same secret key encryption algorithm, use of the method and electronic device
CN106936822B (en) Mask implementation method and system for resisting high-order bypass analysis aiming at SMS4
Ming et al. A secure and highly efficient first-order masking scheme for AES linear operations
KR101203474B1 (en) Process of security of a unit electronic unit with cryptoprocessor
Scripcariu et al. On the substitution method of the AES algorithm
JP2019530352A (en) How to counter secondary and higher DCA attacks on table-based implementations
Ghellar et al. A novel AES cryptographic core highly resistant to differential power analysis attacks
JP2015082077A (en) Encryption device, control method, and program
EP2293488B1 (en) Method for cryptographic processing of data units

Legal Events

Date Code Title Description
A131 Notification of reasons for refusal

Free format text: JAPANESE INTERMEDIATE CODE: A131

Effective date: 20100601

A601 Written request for extension of time

Free format text: JAPANESE INTERMEDIATE CODE: A601

Effective date: 20100831

A602 Written permission of extension of time

Free format text: JAPANESE INTERMEDIATE CODE: A602

Effective date: 20100907

A521 Request for written amendment filed

Free format text: JAPANESE INTERMEDIATE CODE: A523

Effective date: 20101126

TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

Effective date: 20101221

A61 First payment of annual fees (during grant procedure)

Free format text: JAPANESE INTERMEDIATE CODE: A61

Effective date: 20110113

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20140121

Year of fee payment: 3

R150 Certificate of patent or registration of utility model

Ref document number: 4668985

Country of ref document: JP

Free format text: JAPANESE INTERMEDIATE CODE: R150

S533 Written request for registration of change of name

Free format text: JAPANESE INTERMEDIATE CODE: R313533

R350 Written notification of registration of transfer

Free format text: JAPANESE INTERMEDIATE CODE: R350

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

LAPS Cancellation because of no payment of annual fees